OpenSSL-3.+ how to configure [random]?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Nov 10 22:37:26 UTC 2021 

On 11/10/21, 15:20, "openssl-users on behalf of Dr Paul Dale" <openssl-users-bounces at openssl.org on behalf of pauli at openssl.org> wrote:
>
>  I'm pretty sure the underlying problem is that there is a call to 
>  RAND_set_rand_method() or RAND_set_rand_engine() occurring (likely the 
>  latter).

Probably...

>  These completely replace the built in RNG infrastructure with the 
>  RAND_METHOD/engine.  If the engine then fails to produce output for any 
>  reason, the observed results will present.

And randomness retrieval in PKCS#11 engine is broken, because otherwise it would've gotten some randomness form the hardware token, right?

>  Adding the RDRAND engine again replaces the RAND_METHOD and things begin 
>  working.

Yes...

>  I've no idea why the PKCS#11 engine has stopped working with 3.0. It 
>  wasn't meant to.

This made me questioning what's going on. It's been quite some time since I updated 'pkcs11' engine for OSSL-1.1.1.

And I observe that the current version of the PKCS#11 engine does not work correctly, i.e., does not serve randomness, on OpenSSL-1.1.1 *and* 3.x.

$ OPENSSL_CONF="" openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
$ OPENSSL_CONF="" openssl rand -engine pkcs11 -hex 8
Engine "pkcs11" set.
$ OPENSSL_CONF="" openssl-1.1 rand -engine pkcs11 -hex 8
engine "pkcs11" set.
$ OPENSSL_CONF="" ~/openssl-3/bin/openssl version
OpenSSL 3.1.0-dev  (Library: OpenSSL 3.1.0-dev )
$ OPENSSL_CONF="" ~/openssl-3/bin/openssl rand -engine pkcs11 -hex 8
Engine "pkcs11" set.
$ OPENSSL_CONF="" openssl rand -hex 8
71f7744c5190385f
$

I'll bring this up with its maintainers.

Thanks!


    On 11/11/21 1:36 am, Blumenthal, Uri - 0553 - MITLL wrote:
    > Yes, it's related to https://github.com/openssl/openssl/issues/16996, and yes - the same solution worked.
    >
    > There's something wrong with how PKCS#11 engine deals with (or presents itself as) rand provider.
    > In any case, removing PKCS#11 engine from the [engines] section alleviated this problem.
    >
    > Thanks!
    >
    > P.S. I configured rand seed sources the standard way: "--with-rand-seed=rdcpu,os", as I think everybody does.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5249 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211110/f01ccea5/attachment-0001.bin>

More information about the openssl-users mailing list